Bracket Computing Enhances Cloud Workload Protection Platform

Bracket Computing's overlay networking approach uses a technology known as a metavisor to help enforce security.

Bracket Computing is expanding its security platform with new services designed to help organizations easily encrypt data and segment networks.
Bracket Computing first emerged from stealth mode in October 2014 with its core Computing Cell technology for security virtualization and then expanded the effort in May 2015. Now, the company is taking its technology a step further.
The expanded Cloud World Protection Platform builds on Bracket Computing's core Computing Cell, which is powered by a technology called the metavisor. In the virtualization world, the term hypervisor is well known and understood to be the technology construct that enables virtual machines, with popular hypervisors including VMware ESX, Microsoft Hyper-V as well as the open-source Xen and KVM efforts.
"So organizations have applications running on top of an operating system and the next layer down is the metavisor, and that's the place we put the security services," Tom Gillis, CEO and co-founder of Bracket Computing, told eWEEK.

The metavisor is a type of hypervisor that is designed to run on top of a traditional hypervisor, Gillis explained. The metavisor only virtualizes the input/output path of application operations while the traditional hypervisor performs the hardware abstraction. Bracket Computing has many customers that run Docker containers on top of the metavisor, Gillis said.

With the new release of Bracket Computing's platform, encryption capabilities have been enhanced, he said. The initial release of the Computing Cell enabled encryption of data at rest, and now the platform enables encryption for data in motion. Bracket Computing is now providing an enhanced cryptographic assurance capability for applications running on a Computing Cell.
"We have the ability to take a known good image, encrypt that image and then put that image on a cloud," Gillis said. "In order to boot the encrypted image, we can reach back to the cryptographic key server to get the key."
The cryptographic assurance will also check for any potential policy violations before enabling an image to be booted. Policies can include checking for country of origin as well as making sure the right public access controls are in place before the application is deployed.
Simply having a policy for what can or cannot be booted is only one element of the Computing Cell, Gillis explained. "So, when you attach a data volume to a server, we can map a policy around that to allow organizations to do microsegmentation that is totally independent of infrastructure," Gillis said.
As such, a policy for access can be simply expressed; for example, a given application can only be accessed by a certain server and that server should not be accessible over the public Internet. Furthermore, Gillis said the policy can be enforced by way of the cryptographic assurance capability to maintain integrity.
Microsegmentation is an increasingly popular approach in modern networking as a way to reduce the attack surface present in the network. Among the common ways to enable microsegmentation is through the use of microservices engines, such as Docker containers and software-defined networking (SDN) technologies. Bracket Computing is not making use of containers or traditional SDN to enable its microsegmentation, Gillis said.
"We have a Layer 7 overlay that sits on top of an existing network," he said. "We provide an approach that understands content, applications and users, and doesn't care about IP addresses and the physical infrastructure."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.